Skill v1.1.0
ClawScan security
Idea Storm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 14, 2026, 10:38 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (automated experiment loop + Notion logging) but it reads local agent config for provider API keys and injects them into a Docker sandbox (and uses a 'dangerously-skip-permissions' flag) without declaring those secrets — this mismatch is risky and unexplained.
- Guidance: This skill largely matches its stated goal, but it has important mismatches you should address before installing:
  - The run-sandbox.sh script reads your OpenClaw agent config (openclaw.json) to extract model/provider API keys and injects them into a Docker image named 'idea-lab-sandbox'. That file may contain other secrets; the skill metadata does not declare this. Do not allow this unless you explicitly trust the container image and understand which keys are being used.
  - The skill also expects a NOTION_TOKEN and database ID (used to write experiment pages) but did not declare required env vars in the registry. Provide a dedicated Notion integration token with least privilege and store it separately rather than relying on undeclared variables.
  - Inspect and vet the Docker image 'idea-lab-sandbox' before running: verify its source, contents, and whether it exfiltrates data. Prefer to run the sandbox image in an environment with limited network access and with only the experiment directory mounted (not the whole workspace), or run the code locally without Docker.
  - Consider modifying run-sandbox.sh to avoid reading openclaw.json. Instead, require the user to pass an explicit sandbox API key or configure a dedicated service account for sandboxing. Remove the '--dangerously-skip-permissions' flag or understand why it's needed.
  - If you cannot verify the container or do not want to share provider credentials, decline running the sandbox and use the skill in a manual mode (have the agent produce code and run it yourself), or request the maintainer to remove the secret-extraction behavior and to declare required env vars/config paths in the skill metadata.

  Because these issues involve undisclosed credential access and running arbitrary container code with mounted files, treat the skill as suspicious until those concerns are resolved.
- Findings:
  - [reads_openclaw_config] unexpected: scripts/run-sandbox.sh reads OPENCLAW_CONFIG (default /root/.openclaw/openclaw.json) and extracts ['models']['providers']['cc']['apiKey'] and baseUrl. Reading internal agent config to obtain provider keys is not declared and not expected for a Notion-backed experiment logger.
  - [passes_api_key_to_docker_env] unexpected: The same script sets ANTHROPIC_AUTH_TOKEN and ANTHROPIC_BASE_URL env vars for the Docker container using the extracted values. Passing agent model credentials into an arbitrary container increases risk of credential exposure/exfiltration.
  - [dangerously_skip_permissions_flag] unexpected: The container command includes 'claude --print --dangerously-skip-permissions', which indicates bypassing permission enforcement; this further reduces protections and is unexpected in a well-scoped skill.
Review Dimensions
- Purpose & Capability
  - note: The declared purpose (automating design→implement→validate experiments and storing results in Notion) aligns with the provided files: an image-compare script, Notion API examples, and a sandbox runner. However, the skill also reads the agent's local config to extract model provider API keys and base URLs (see run-sandbox.sh). That access to agent model credentials is not mentioned in the skill metadata or description and is not necessary to the stated high-level purpose if a user provides or configures a separate sandbox credential. This is an unexpected privilege.
- Instruction Scope
  - concern: SKILL.md and scripts instruct reading/writing experiment state files and calling Notion — reasonable. But run-sandbox.sh specifically reads /root/.openclaw/openclaw.json (or OPENCLAW_CONFIG) to extract provider apiKey/baseUrl, mounts the experiment workspace into a container, and runs 'claude --dangerously-skip-permissions'. These steps cause the agent to read internal config, expose provider credentials to an external Docker image, and bypass permission checks; that goes beyond the documented scope and is a clear scope creep / data-exfiltration risk.
- Install Mechanism
  - concern: There is no formal install spec (instruction-only), which limits static install risk. However, run-sandbox.sh expects and will docker pull/run an image named 'idea-lab-sandbox' (an arbitrary container image). Running an externally provided image with a mounted workspace and injected credentials is a significant runtime risk: the image can execute arbitrary code with access to mounted files and any env vars passed in.
- Credentials
  - concern: The registry metadata declares no required env vars or config paths, but the docs and scripts require/expect NOTION_TOKEN/IDEA_LAB_DB_ID and — crucially — read the agent's openclaw.json to extract model provider API keys. Access to the agent's model API keys (and implicitly other config in openclaw.json) is disproportionate to a Notion-logging/experiment orchestrator and is not declared. Passing those keys into the sandbox container is especially problematic.
- Persistence & Privilege
  - note: The skill is not force-installed (always:false) and does not request persistent system-level modifications. However, it is designed to spawn background child agents and to run Docker sandboxes that mount workspace directories and receive provider credentials. Autonomous invocation combined with the credential-access behavior increases blast radius if the spawned or containerized code is malicious; this combination is noteworthy although the skill itself is not marked always:true.
